Important Information for CSP Microsoft Integrations
Microsoft 365 Management features are currently in EA (Early Access). Click here to participate.
This document describes some important prerequisites for integrating Syncro with Microsoft as a Cloud Solution Provider (CSP). (For instructions, see Integrate Microsoft.)
You can either integrate:
- Your Microsoft Tenants in bulk through your CSP Microsoft 365 Tenant credentials and Microsoft Partner Center GDAP relationships, or
- Each Microsoft Tenant as a Single Tenant using a unique Global Administrator account for each individual Microsoft 365 Tenant.
WARNING: Attempting to connect a CSP Microsoft 365 Tenant using the Single Tenant option will cause the integration to fail. If you have a CSP Microsoft 365 Tenant, we strongly recommend that you choose the Cloud Solution Provider option. Using both methods to connect Microsoft Tenants will generate connectivity errors.
Required Permissions
Connecting to Microsoft 365 Tenants through a CSP Microsoft 365 Tenant requires specific Microsoft Partner Center configurations, and the authenticating user must meet certain requirements.
Tip: If you use Microsoft SSO to log into Syncro, be certain that your Syncro user login has all the required permissions for integration.
The authenticating user must:
- Be a CSP Microsoft 365 Tenant Global Admin,
- Have Admin Agent privileges,
- Be a member of the Admin Agents Security Group,
- Be a member of the Security Group(s) associated with the appropriately privileged GDAP relationships with the Microsoft 365 Tenant (see below), and
- Be prompted by Entra ID MFA when authenticating. (Microsoft does not allow access to Microsoft 365 Tenants via GDAP using third-party MFA applications.)
In Microsoft Partner Center, each Microsoft 365 Tenant must have:
- A GDAP relationship with either a Global Administrator privilege or ALL of the following specific privileges:
  - COLLABORATION:
    - Exchange Administrator
    - Cloud App Security Administrator
    - Teams Administrator
    - SharePoint Administrator
  - DEVICES:
    - Intune Administrator
    - Cloud Device Administrator
  - IDENTITY:
    - Privileged Authentication Administrator
    - Privileged Role Administrator
    - User Administrator
    - Application Administrator
  - SECURITY & COMPLIANCE:
    - Security Administrator
    - Authentication Policy Administrator
- The GDAP relationship assigned to a CSP Microsoft 365 Tenant Security Group and the appropriate roles (described above) selected. For step-by-step instructions, see Configure GDAP in the Microsoft Partner Center.
For example, if your CSP account can access 100 Tenants and you only want to integrate with 75, you'll need to add these roles to the 75 GDAPs that represent your 75 desired Tenants. You'll need to go into each Tenant GDAP individually.
Tip: You only need to enable the above GDAP relationship for the Microsoft 365 Tenants you want to integrate. For example, if your CSP Microsoft 365 Tenant can access 100 Microsoft 365 Tenants and you only want to integrate 75, you'll need to create the GDAP relationship described above with the desired 75 Microsoft 365 Tenants in the Microsoft Partner Center.
Configure GDAP in Microsoft Partner Center
To set up the GDAP relationships and roles required to facilitate a CSP integration between Syncro and Microsoft, begin in Microsoft Partner Center.
Note: You can access the Microsoft Partner Center through the app in the Microsoft 365 Admin center, or directly by typing partner.Microsoft.com into your browser.
Request an Admin Relationship
- Once you're in the Microsoft Partner Center, click Customers:
- Select the hyperlinked Name of the customer with whom you want to create an Admin relationship:
- From the left navigation, choose Admin Relationships:
- If you don't already have an active Admin relationship with the appropriate roles or permissions to integrate with Syncro, click the Request for New Relationship link at the top to request a new one:
- Give the Admin Relationship a Name and set a Duration (in Days).
Tip: We recommend the maximum duration, which is 730 days.
Configure the Microsoft Entra Roles
This is where you'll configure the 12 permissions described in Required Permissions.
- Click the "Select Microsoft Entra Roles" link:
- Either use a global admin role, or use the more granular approach to specify the 12 different permissions or roles, as follows:
- In the Collaboration section, check the boxes for the Exchange Administrator and Cloud App Security Administrator. Also select the Teams Administrator and SharePoint Administrator roles:
- Scroll down to the Devices section. Check the boxes for the Intune Administrator and Cloud Device Administrator roles.
- In the Identity section, check the boxes for the Privileged Authentication Administrator, Privileged Role Administrator, User Administrator, and Application Administrator roles.
- Scroll to the Security and Compliance section. Check the boxes for the Security Administrator and Authentication Policy Administrator roles.
- Click Save. You should now have 12 roles assigned:
IMPORTANT: Ensure that the roles are assigned correctly. If there's any inaccuracy, you'll need to repeat this step. Remember, you can't add roles after they've been assigned.
- Select the Yes radio button to auto extend.
- Click Finalize Request.
Approve the Admin Relationship
Your customer or customer Admin will need to approve this relationship and its associated roles. Alternatively, if you're a global admin in that tenant, you can approve it yourself. Follow these steps for a self-approval:
- Navigate to the tenant you're creating a relationship for, and paste in the Request link:
This brings up a Consent Form:
Note: The Next button stays gray for about 15 to 30 seconds to ensure you're reading all the relevant information. Click the “Learn More” link during this time if you want, but either way you'll need to wait for about 30 seconds.
- Once the button is available, click Next.
- Review your requested roles again. This is a good opportunity to check that the 12 roles are present and correct.
- Click Next again.
- Click Accept.
- Once you see a message confirming that you've accepted a partner relationship, navigate back to your tenant and click Done. You should see the Syncro integration is now active and enabled:
Add a Security Group
Next, make sure that users in your tenant can use this Admin relationship and its roles. To set this up, follow these steps:
- Click your newly created Admin Relationship Name. Once again, you'll see the roles available through the relationship.
- Scroll to the Security Groups section at the bottom. If you already have a security group assigned, ensure that it contains all of the required roles. Or, click "+Add Security Groups" to create a new one. Let's create a new one called Developers:
- Check the box at the top to select all the roles and assign them to the Developers security group:
- If you have other groups, check their roles to ensure they're correct. It's important that the user you're using for the Microsoft CSP Integration process is in BOTH the Admin Agents group and any other security group that holds the necessary permissions.
IMPORTANT: The user MUST be a part of both groups. If you apply the required roles to the Admin Agents security group, the user can simply be a member of this group.
- Once you've confirmed this, refresh the page and verify that the new Developers security group is active:
You've now successfully set up the GDAP relationship with your customer, assigned the appropriate roles, and assigned security groups to that relationship. Additionally, you've ensured that these security groups have the appropriate roles to perform the integration.
You can now integrate with Microsoft as a CSP.
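The role and group checks from the steps above can be run as a script before you attempt the integration. This is an added example, not Syncro or Microsoft code: the role and group names are the ones listed on this page, while the record layout (tenant, roles, security_groups) and the sample tenants are constructed for illustration.

```python
# Added example; record layout and sample tenants are constructed, names are the page's.
REQUIRED = {
    "Collaboration": {"Exchange Administrator", "Cloud App Security Administrator",
                      "Teams Administrator", "SharePoint Administrator"},
    "Devices": {"Intune Administrator", "Cloud Device Administrator"},
    "Identity": {"Privileged Authentication Administrator", "Privileged Role Administrator",
                 "User Administrator", "Application Administrator"},
    "Security & Compliance": {"Security Administrator", "Authentication Policy Administrator"},
}
GLOBAL_ADMIN = "Global Administrator"
ADMIN_AGENTS = "Admin Agents"
ALL_12 = sorted(set().union(*REQUIRED.values()))

def missing_roles(roles):
    """Return {category: sorted missing roles}; empty dict when the set is sufficient."""
    roles = set(roles)
    if GLOBAL_ADMIN in roles:  # Global Administrator alone satisfies the requirement
        return {}
    gaps = {cat: sorted(need - roles) for cat, need in REQUIRED.items()}
    return {cat: miss for cat, miss in gaps.items() if miss}

def audit(rel, user_groups):
    """Findings for one GDAP relationship record and the authenticating user's groups."""
    findings = [f"relationship lacks {cat}: {', '.join(miss)}"
                for cat, miss in missing_roles(rel["roles"]).items()]
    if ADMIN_AGENTS not in user_groups:
        findings.append("user is not in the Admin Agents group")
    # Only groups the user belongs to count, capped at the relationship's own roles.
    effective = set()
    for group, roles in rel["security_groups"].items():
        if group in user_groups:
            effective |= set(roles) & set(rel["roles"])
    findings += [f"user's groups lack {cat}: {', '.join(miss)}"
                 for cat, miss in missing_roles(effective).items()]
    return findings

def audit_all(relationships, user_groups):
    """Audit every tenant you plan to integrate; an empty list means ready."""
    return {rel["tenant"]: audit(rel, user_groups) for rel in relationships}

SAMPLE = [  # constructed records, not real tenants
    {"tenant": "tenant-a.example", "roles": ALL_12, "security_groups": {"Developers": ALL_12}},
    {"tenant": "tenant-b.example", "roles": [r for r in ALL_12 if r != "Teams Administrator"],
     "security_groups": {"Admin Agents": ["User Administrator"]}},
]

if __name__ == "__main__":
    for tenant, findings in audit_all(SAMPLE, {"Admin Agents", "Developers"}).items():
        print(tenant, "OK" if not findings else findings)
```

Because roles can't be added after a relationship is finalized, a non-empty "relationship lacks" finding means requesting a new relationship, while a "user's groups lack" finding can be fixed in the Security Groups section.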
Additional Resources
For more information about configuring GDAP relationships in Microsoft Partner Center, refer to the following Microsoft Learn articles: